FortiClient
athirat
Staff
Description
This article describes how to control the SSL and TLS versions used by the FortiClient when connecting to SSL VPN.

Scope
FortiClient - All versions.

Solution
FortiClient uses the Internet Explorer SSL and TLS settings to initiate the SSL connection.

Individual versions can be enabled or disabled in Internet Explorer under the following option:
Internet options > Advanced > Security
The options are shown in the following screenshot:

[Screenshot: Internet options, Advanced tab, Security settings]

Configuration CLI

Using the FortiGate CLI, the same options can be selected as follows:
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
end

Verification of Configuration and troubleshooting

If there is a version mismatch, the connection terminates without a definite error in the SSL VPN debugs.

A packet capture shows which SSL/TLS versions the incoming connections are using.
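
As an added example (not part of the original article and not Fortinet code), the Python below reads the ClientHello record from a captured connection, lists the versions the client offers, and checks them against the versions enabled in the CLI example above. The function names are hypothetical and the sample ClientHello bytes are constructed rather than taken from a real capture.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# Wire codes for the versions enabled in the CLI example (tlsv1-1, tlsv1-2).
GATEWAY_ENABLED = {0x0302, 0x0303}

def offered_versions(record: bytes):
    """Return (version codes, exact); exact is False if only a maximum is known."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                  # skip record (5) and handshake (4) headers
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]               # compression_methods
    if pos + 2 <= len(body):           # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 43:         # supported_versions
                raw = body[pos + 1:pos + 1 + body[pos]]
                return [v for (v,) in struct.iter_unpack("!H", raw)], True
            pos += ext_len
    return [legacy], False             # client_version is the client's maximum

def gateway_can_match(record: bytes, enabled=GATEWAY_ENABLED) -> bool:
    codes, exact = offered_versions(record)
    if exact:
        return any(c in enabled for c in codes)
    # Only a maximum is visible; the client's minimum is not in the hello.
    return any(c <= codes[0] for c in enabled)

def sample_hello(legacy: int, supported=()) -> bytes:
    """Constructed ClientHello for the demo (not taken from a real capture)."""
    ext = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
        ext = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for hello in (sample_hello(0x0301), sample_hello(0x0303, [0x0304, 0x0303])):
        codes, _ = offered_versions(hello)
        print([NAMES.get(c, hex(c)) for c in codes], gateway_can_match(hello))
```

To use it on real traffic, pass the raw bytes of the first TLS record sent by the client, exported from the packet capture.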
